fix(admin): security-audit findings — paginate chapters, lock down unchecked helper (0.41.2)

Addresses the security-audit findings on top of the admin feature stack:

M1: /admin/mangas/:id/chapters now paginates (default limit 200, max 500).
A long-runner with thousands of chapters would otherwise produce a multi-MB
response with that many scalar subqueries per row — admin-only but a real
stall risk on one expand-click. Adds explicit pagination tests for the cap
and offset; frontend renders a "Showing first N of M" hint when the cap
clips the result.

L1: repo::user::set_is_admin renamed to set_is_admin_unchecked with a
doc-comment pointing at admin_safe_set_is_admin for production use. The
short name was a footgun — a future contributor reaching for it would
silently bypass self-protection, the last-admin invariant, and the audit
log. Used only by integration-test setup; production code goes through
the admin_safe_* paths.

CSRF posture: build_session_cookie carries a comment that the
SameSite=Lax default is the project's CSRF defense for state-changing
mutations and breaks the instant anyone adds a side-effecting GET under
/admin/*. Spells out what to do then (Strict + explicit token check).

Test counts: 43 backend admin tests + 12 vitest admin tests all green;
svelte-check 0/0 across 446 files.

backend/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mangalord"
-version = "0.41.1"
+version = "0.41.2"
 edition = "2021"
 default-run = "mangalord"
 

backend/src/api/admin/mangas.rs

@@ -25,6 +25,18 @@ pub fn routes() -> Router<AppState> {
         .route("/admin/mangas/:id/chapters", get(list_chapters))
 }
 
+#[derive(Debug, Deserialize, Default)]
+pub struct ListChaptersParams {
+    #[serde(default = "default_chapter_limit")]
+    pub limit: i64,
+    #[serde(default)]
+    pub offset: i64,
+}
+
+fn default_chapter_limit() -> i64 {
+    200
+}
+
 #[derive(Debug, Deserialize, Default)]
 pub struct ListMangasParams {
     #[serde(default)]
@@ -76,12 +88,23 @@ async fn list_chapters(
     State(state): State<AppState>,
     _admin: RequireAdmin,
     Path(manga_id): Path<Uuid>,
-) -> AppResult<Json<Vec<AdminChapterRow>>> {
+    Query(params): Query<ListChaptersParams>,
+) -> AppResult<Json<PagedResponse<AdminChapterRow>>> {
     // Explicit existence check so a typo / deleted manga returns 404
     // rather than a misleading "no chapters" 200.
     if !repo::manga::exists(&state.db, manga_id).await? {
         return Err(AppError::NotFound);
     }
-    let rows = repo::admin_view::list_chapters_with_sync_state(&state.db, manga_id).await?;
-    Ok(Json(rows))
+    // Cap at 500 to bound the per-row scalar-subquery cost on
+    // long-runners with thousands of chapters; default 200 covers
+    // typical browsing without paging round-trips.
+    let limit = params.limit.clamp(1, 500);
+    let offset = params.offset.max(0);
+    let q = repo::admin_view::ListAdminChaptersQuery {
+        manga_id,
+        limit,
+        offset,
+    };
+    let (items, total) = repo::admin_view::list_chapters_with_sync_state(&state.db, &q).await?;
+    Ok(Json(PagedResponse::with_total(items, limit, offset, total)))
 }

backend/src/api/auth.rs

@@ -309,6 +309,18 @@ async fn start_session(
     Ok(jar.add(build_session_cookie(raw, &state.auth)))
 }
 
+// CSRF posture: `SameSite=Lax` is the project's primary CSRF defense.
+// Browsers refuse to attach this cookie to cross-site POST / PATCH /
+// DELETE requests, which covers every state-changing endpoint (auth
+// mutations, uploads, bookmarks, collections, admin user management,
+// etc. — all JSON over POST/PATCH/DELETE). Lax DOES still attach the
+// cookie on top-level cross-site GETs, so this defense breaks the
+// instant anyone adds a state-changing GET. If you reach for one,
+// switch to `SameSite=Strict` here AND add an explicit CSRF-token
+// check on the new endpoint. The Bearer-token branch in the
+// extractor is unaffected (bots authenticate with the token header,
+// not the cookie) and admin routes reject Bearer entirely — see
+// `auth::extractor::RequireAdmin`.
 fn build_session_cookie(raw: String, cfg: &AuthConfig) -> Cookie<'static> {
     let mut builder = Cookie::build((SESSION_COOKIE_NAME, raw))
         .http_only(true)

backend/src/repo/admin_view.rs

@@ -166,11 +166,23 @@ pub struct AdminChapterRow {
     pub latest_seen_at: Option<DateTime<Utc>>,
 }
 
+#[derive(Debug, Default)]
+pub struct ListAdminChaptersQuery {
+    pub manga_id: Uuid,
+    pub limit: i64,
+    pub offset: i64,
+}
+
+/// Paginated chapter list with derived sync state. Pagination is non-
+/// optional — long-runners can have thousands of chapters and the
+/// per-row scalar subqueries make the unbounded variant a real
+/// stall risk even behind an admin guard. Returns the page slice plus
+/// the unfiltered total so the UI can render "showing N of M".
 pub async fn list_chapters_with_sync_state(
     pool: &PgPool,
-    manga_id: Uuid,
-) -> AppResult<Vec<AdminChapterRow>> {
-    let rows: Vec<AdminChapterRow> = sqlx::query_as(
+    q: &ListAdminChaptersQuery,
+) -> AppResult<(Vec<AdminChapterRow>, i64)> {
+    let items: Vec<AdminChapterRow> = sqlx::query_as(
         r#"
         SELECT
             c.id, c.manga_id, c.number, c.title, c.page_count, c.created_at,
@@ -202,10 +214,19 @@ pub async fn list_chapters_with_sync_state(
           FROM chapters c
          WHERE c.manga_id = $1
          ORDER BY c.number ASC
+         LIMIT $2 OFFSET $3
         "#,
     )
-    .bind(manga_id)
+    .bind(q.manga_id)
+    .bind(q.limit)
+    .bind(q.offset)
     .fetch_all(pool)
     .await?;
-    Ok(rows)
+
+    let total: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM chapters WHERE manga_id = $1")
+        .bind(q.manga_id)
+        .fetch_one(pool)
+        .await?;
+
+    Ok((items, total))
 }

backend/src/repo/user.rs

@@ -114,7 +114,12 @@ pub async fn list_with_total(
     Ok((items, total))
 }
 
-pub async fn set_is_admin(pool: &PgPool, id: Uuid, value: bool) -> AppResult<()> {
+/// Raw `is_admin` update with no safety checks, no audit log, and no
+/// advisory lock. Exists only as a test setup helper for the admin-
+/// feature integration suite — production code MUST go through
+/// [`admin_safe_set_is_admin`], which enforces self-protection, the
+/// last-admin invariant, and the audit log atomically.
+pub async fn set_is_admin_unchecked(pool: &PgPool, id: Uuid, value: bool) -> AppResult<()> {
     sqlx::query("UPDATE users SET is_admin = $1 WHERE id = $2")
         .bind(value)
         .bind(id)

backend/tests/api_admin_mangas.rs

@@ -24,7 +24,7 @@ async fn seed_admin(pool: &PgPool, app: &Router) -> (String, String) {
         .await
         .unwrap()
         .unwrap();
-    repo::user::set_is_admin(pool, u.id, true).await.unwrap();
+    repo::user::set_is_admin_unchecked(pool, u.id, true).await.unwrap();
     (username, cookie)
 }
 
@@ -107,6 +107,25 @@ async fn insert_job(pool: &PgPool, payload: serde_json::Value, state: &str) {
         .unwrap();
 }
 
+/// Per-variant tests don't care about pagination — fetch the whole
+/// chapter set (up to the hard cap) and discard the total.
+async fn fetch_chapter_rows(
+    pool: &PgPool,
+    manga_id: Uuid,
+) -> Vec<mangalord::repo::admin_view::AdminChapterRow> {
+    let (rows, _) = repo::admin_view::list_chapters_with_sync_state(
+        pool,
+        &repo::admin_view::ListAdminChaptersQuery {
+            manga_id,
+            limit: 500,
+            offset: 0,
+        },
+    )
+    .await
+    .unwrap();
+    rows
+}
+
 // ---- manga sync state ------------------------------------------------------
 
 #[sqlx::test(migrations = "./migrations")]
@@ -257,9 +276,7 @@ async fn chapter_state_synced_when_pages_present(pool: PgPool) {
     let c = insert_chapter(&pool, m, 1, 12).await;
     insert_chapter_source(&pool, c, "ckey-1", false).await;
 
-    let rows = repo::admin_view::list_chapters_with_sync_state(&pool, m)
-        .await
-        .unwrap();
+    let rows = fetch_chapter_rows(&pool, m).await;
     assert_eq!(rows.len(), 1);
     assert_eq!(rows[0].id, c);
     assert_eq!(rows[0].sync_state, mangalord::domain::ChapterSyncState::Synced);
@@ -272,9 +289,7 @@ async fn chapter_state_not_downloaded_when_page_count_zero(pool: PgPool) {
     let c = insert_chapter(&pool, m, 1, 0).await;
     insert_chapter_source(&pool, c, "ckey-1", false).await;
 
-    let rows = repo::admin_view::list_chapters_with_sync_state(&pool, m)
-        .await
-        .unwrap();
+    let rows = fetch_chapter_rows(&pool, m).await;
     assert_eq!(
         rows[0].sync_state,
         mangalord::domain::ChapterSyncState::NotDownloaded
@@ -299,9 +314,7 @@ async fn chapter_state_downloading_when_job_in_flight(pool: PgPool) {
     )
     .await;
 
-    let rows = repo::admin_view::list_chapters_with_sync_state(&pool, m)
-        .await
-        .unwrap();
+    let rows = fetch_chapter_rows(&pool, m).await;
     assert_eq!(
         rows[0].sync_state,
         mangalord::domain::ChapterSyncState::Downloading
@@ -315,9 +328,7 @@ async fn chapter_state_dropped_when_all_sources_dropped(pool: PgPool) {
     let c = insert_chapter(&pool, m, 1, 0).await;
     insert_chapter_source(&pool, c, "ckey-1", true).await;
 
-    let rows = repo::admin_view::list_chapters_with_sync_state(&pool, m)
-        .await
-        .unwrap();
+    let rows = fetch_chapter_rows(&pool, m).await;
     assert_eq!(
         rows[0].sync_state,
         mangalord::domain::ChapterSyncState::Dropped
@@ -342,9 +353,7 @@ async fn chapter_state_failed_when_most_recent_job_dead(pool: PgPool) {
     )
     .await;
 
-    let rows = repo::admin_view::list_chapters_with_sync_state(&pool, m)
-        .await
-        .unwrap();
+    let rows = fetch_chapter_rows(&pool, m).await;
     assert_eq!(
         rows[0].sync_state,
         mangalord::domain::ChapterSyncState::Failed
@@ -415,12 +424,67 @@ async fn http_list_chapters_returns_per_chapter_state(pool: PgPool) {
         .unwrap();
     assert_eq!(resp.status(), StatusCode::OK);
     let body = common::body_json(resp).await;
-    let items = body.as_array().unwrap();
+    let items = body["items"].as_array().unwrap();
     assert_eq!(items.len(), 2);
     assert_eq!(items[0]["id"], c1.to_string());
     assert_eq!(items[0]["sync_state"], "synced");
     assert_eq!(items[1]["id"], c2.to_string());
     assert_eq!(items[1]["sync_state"], "not_downloaded");
+    assert_eq!(body["page"]["total"], 2);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn http_list_chapters_caps_limit_at_500(pool: PgPool) {
+    // The handler clamps limit to [1, 500] so a long-runner with
+    // thousands of chapters can't be turned into a request-stall by an
+    // admin (or by a curious admin tab) just clicking expand.
+    let h = common::harness(pool.clone());
+    let (_admin, cookie) = seed_admin(&pool, &h.app).await;
+    seed_source(&pool).await;
+    let m = insert_manga(&pool, "M").await;
+    for n in 1..=3 {
+        let _c = insert_chapter(&pool, m, n, 0).await;
+    }
+    let resp = h
+        .app
+        .oneshot(common::get_with_cookie(
+            &format!("/api/v1/admin/mangas/{m}/chapters?limit=999"),
+            &cookie,
+        ))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["page"]["limit"], 500, "limit must clamp to 500");
+    assert_eq!(body["items"].as_array().unwrap().len(), 3);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn http_list_chapters_paginates(pool: PgPool) {
+    let h = common::harness(pool.clone());
+    let (_admin, cookie) = seed_admin(&pool, &h.app).await;
+    seed_source(&pool).await;
+    let m = insert_manga(&pool, "M").await;
+    for n in 1..=5 {
+        let _c = insert_chapter(&pool, m, n, 0).await;
+    }
+
+    let resp = h
+        .app
+        .clone()
+        .oneshot(common::get_with_cookie(
+            &format!("/api/v1/admin/mangas/{m}/chapters?limit=2&offset=2"),
+            &cookie,
+        ))
+        .await
+        .unwrap();
+    let body = common::body_json(resp).await;
+    let items = body["items"].as_array().unwrap();
+    assert_eq!(items.len(), 2);
+    // Ordered by chapter number ascending; offset=2 skips chapters 1 & 2.
+    assert_eq!(items[0]["number"], 3);
+    assert_eq!(items[1]["number"], 4);
+    assert_eq!(body["page"]["total"], 5);
 }
 
 #[sqlx::test(migrations = "./migrations")]
@@ -463,9 +527,7 @@ async fn chapter_state_synced_when_pages_present_even_with_dead_job(pool: PgPool
     )
     .await;
 
-    let rows = repo::admin_view::list_chapters_with_sync_state(&pool, m)
-        .await
-        .unwrap();
+    let rows = fetch_chapter_rows(&pool, m).await;
     assert_eq!(
         rows[0].sync_state,
         mangalord::domain::ChapterSyncState::Synced,

backend/tests/api_admin_role.rs

@@ -189,7 +189,7 @@ async fn require_admin_accepts_admin_cookie(pool: PgPool) {
         .await
         .unwrap()
         .unwrap();
-    repo::user::set_is_admin(&pool, u.id, true).await.unwrap();
+    repo::user::set_is_admin_unchecked(&pool, u.id, true).await.unwrap();
 
     let resp = app
         .oneshot(common::get_with_cookie("/_test/admin_only", &cookie))
@@ -216,7 +216,7 @@ async fn require_admin_rejects_bearer_token_even_for_admin_user(pool: PgPool) {
         .await
         .unwrap()
         .unwrap();
-    repo::user::set_is_admin(&pool, u.id, true).await.unwrap();
+    repo::user::set_is_admin_unchecked(&pool, u.id, true).await.unwrap();
 
     let resp = app
         .clone()

backend/tests/api_admin_system.rs

@@ -20,7 +20,7 @@ async fn seed_admin(pool: &PgPool, app: &Router) -> String {
         .await
         .unwrap()
         .unwrap();
-    repo::user::set_is_admin(pool, u.id, true).await.unwrap();
+    repo::user::set_is_admin_unchecked(pool, u.id, true).await.unwrap();
     cookie
 }
 

backend/tests/api_admin_users.rs

@@ -35,7 +35,7 @@ async fn seed_admin(pool: &PgPool, app: &Router) -> (String, String, Uuid) {
         .await
         .unwrap()
         .unwrap();
-    repo::user::set_is_admin(pool, u.id, true).await.unwrap();
+    repo::user::set_is_admin_unchecked(pool, u.id, true).await.unwrap();
     (username, cookie, u.id)
 }